Key Points:
- Illumina DNA sequencing machines are vulnerable to exploitation.
- Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have published advisories urging all impacted users to harden their security posture.
- Exploitation could lead to the leaking of extremely sensitive patient Personal Identifiable Information (PII) and Protected Health Information (PHI), as well as taking full control of the devices, and using them as a means by which to gain initial access to carry out other malicious activity.
Summary
DNA sequencing and bioanalysis machines produced by a California-based medical technology company known as Illumina are susceptible to being compromised by threat actors through the exploitation of two (2) critical vulnerabilities. A representative from the U.S. Food and Drug Administration (FDA) stated that if successfully compromised, cyber attackers could perform harmful actions at the operating system level, adversely affecting the accuracy of genomic data outcomes in medical diagnostic devices. This could lead to the devices yielding no results, false results, modified results, or even potentially exposing confidential data.[1] To mitigate the risk of future exploitation, organizations utilizing Illumina DNA sequencing systems must ensure that the software they are running is up-to-date, as well as taking manual measures to strengthen the network and system security posture. These include techniques like configuring Universal Copy Service (UCS) account credentials, minimizing network exposure to ensure that the machines are not reachable from the internet, and using secure remote access methods such as Virtual Private Networks (VPNs).
Background
Illumina is a leading biotech manufacturer whose devices are used by hospitals, medical labs, and other medical research facilities in 140 countries across the world.[2] The machines have two (2) specified uses with one (1) used for clinical diagnosis through sequencing human DNA, and the other being for research use only (RUO). Many of the devices have a dual-boot mode so that they can be used in both clinical and research settings.
Vulnerabilities
The flaws exist in machines utilizing Illumina's UCS, a key software that transfers patient data from the DNA sequencing machines to a centralized management architecture. The first and most severe vulnerability, tracked as CVE-2023-1968 (CVSS score of 10/10), allows UCS instruments to bind to unrestricted IP addresses[3], allowing unauthorized threat actors to observe all of the IP addresses on the network. This deep reconnaissance allows the threat actors to identify IP addresses that are capable of receiving malicious remote commands. The second flaw, tracked as CVE-2023-1966 (CVSS score of 7.4), is an unnecessary privileges vulnerability that could allow the threat actors to upload and execute malicious code remotely with SYSTEM privileges. If successfully exploited, the threat actors could take complete control of the device remotely, upload malicious code, change critical settings and configurations, alter DNA sequencing results, and exfiltrate sensitive protected health information (PHI).
Mitigating Risk
On April 5, 2023, Illumina sent Urgent Medical Device Recall and Product Quality Notifications to their customers, urging them to look for any signs of active exploitation, as well as giving instructions for defending against exploitation.[4] Both the U.S. Cybersecurity Infrastructure Security Agency (CISA)[5] and the FDA[1] have published advisories and warnings for healthcare providers and laboratory personnel. CTIX analysts urge any UCS customers to read the advisories and upgrade their software to the latest secure version immediately. If the devices cannot be immediately patched, Illumina has published mitigation techniques that will help to defend against future exploitation.
Conclusion
Cyber-attacks against the healthcare industry are on the rise, and the more technologically advanced the health sector gets, the more zero-day vulnerabilities will manifest in the wild. These attacks pose a major risk not just to patient privacy, but to critical infrastructure and national security as well. The exploitation of this sensitive technology could be a reconnaissance catalyst for cyber espionage campaigns to sabotage or alter the data of health and safety studies, as well as individual extortion through exfiltrated PHI data or ransomware attacks. At the extreme, it could be a catalyst for a biological attack targeting certain genetic profiles. For example, a nation-state adversary to the U.S. could exploit this vulnerability to capture the genetic profile information of a high-profile individual such as a politician or journalist. With that information, they could stage a curated biological attack against the victim. At scale, the same methodology could be leveraged to conduct biological attacks against populations of people. CTIX analysts recommend that all healthcare organizations utilizing the affected Illumina products listed in the advisory patch the vulnerabilities and harden their infrastructure to provide defense-in-depth to protect patients and the industry itself.
[1] https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-affecting-universal-copy-service-software-may-present-risks
[2] https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-in-illumina-dna-sequencing-systems/
[3] https://www.scmagazine.com/news/device-security/vulnerability-illumina-genome-sequencing-medical-devices-ranked-10
[4] https://support.illumina.com/downloads/illumina-universal-copy-service-1-0.html
[5] https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
